Concept definition for Industrial Elevator Control System — SIL 3 safety core with 8 hazards across 7 operating modes
System
The {{entity:Industrial Elevator Control System}} ({{hex:51F77A58}}) is an integrated electronic control system managing traction motor drives, floor positioning, car/hall call dispatch, door operators, and safety chain monitoring for industrial freight and passenger elevators. It operates in commercial buildings, factories, and warehouses, controlling cars carrying up to 5000 kg at speeds up to 6 m/s across 30+ floors. Safety-critical to IEC 61508 SIL 3 for overspeed protection and uncontrolled car movement prevention, with compliance to EN 81-20/50, EN 81-72 (fire), EN 81-77 (seismic), and EU Lifts Directive 2014/33/EU. The system’s 20-25 year lifecycle with modernisation cycles demands long-term maintainability and backwards-compatible interfaces.
ConOps
Seven operating modes define the system’s lifecycle: {{trait:Intentionally Designed}} initialisation (15-60s self-test), normal operation (group dispatch, VFD motor control, continuous safety monitoring), degraded operation (reduced capability on non-critical faults), emergency shutdown (overspeed/uncontrolled movement triggers mechanical braking), fire service (EN 81-72 Phase I/II recall and firefighter control), maintenance (0.3 m/s car-top operation), and seismic operation (EN 81-77 P-wave response with post-event inspection trip).
Six ConOps scenarios ground the operational concept. The morning rush scenario exercises group dispatch under up-peak load: 200+ passengers, a sub-30 s wait target, and hall-call bypass once a car reaches 80% load. The single-car-failure scenario tests degraded dispatch rebalancing and escalation to critical degraded mode. Power failure exercises the ARD battery rescue sequence, including accessibility concerns (wheelchair user stopped between floors). Fire recall validates Phase I non-stop recall with fire-floor lockout and Phase II firefighter manual control. Quarterly maintenance defines the EN 81-20 inspection protocol: 2-4 hours per car with car-top riding. The seismic scenario exercises P-wave detection, safe hold, and post-event inspection trips.
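The mode list above is only useful if the arbitration between modes is explicit: which condition wins when several are active, which conditions latch, and which inputs are allowed to move the system at all. The following Python is an added illustrative example, not code from the page or from any elevator OEM. The priority order, the input names, the latching rules and the requirement that only a technician reset from the car-top station clears a trip are assumptions made for the example; only the seven mode names come from the concept definition. The security-relevant detail it shows is that a software "fire request" arriving over the BMS link is never consulted, so fire service is reachable only through the hardwired relay.

```python
"""Mode arbiter for the seven operating modes listed above.

Added illustrative example; it is not code from the page or from any
elevator OEM. The priority order, the input names, the latching rules and
the technician-reset rule are assumptions made for the example. Only the
mode names come from the concept definition.
"""
from dataclasses import dataclass
from enum import Enum, auto


class Mode(Enum):
    INIT = auto()            # power-up self-test (15-60 s)
    NORMAL = auto()          # group dispatch, VFD motor control
    DEGRADED = auto()        # non-critical fault, reduced capability
    EMERGENCY_STOP = auto()  # overspeed / uncontrolled movement: brake applied
    FIRE_SERVICE = auto()    # EN 81-72 Phase I/II
    MAINTENANCE = auto()     # car-top inspection operation
    SEISMIC = auto()         # EN 81-77 P-wave hold, then inspection trip


@dataclass
class Inputs:
    """One scan of the signals the arbiter reads. 'Hardwired' signals are
    wired directly to the safety controller, not received over a fieldbus."""
    self_test_passed: bool = False
    safety_chain_trip: bool = False  # hardwired: governor, UCMP, e-stop
    fire_recall_hw: bool = False     # hardwired relay from the fire alarm panel
    inspection_switch: bool = False  # hardwired key switch on the car-top station
    p_wave_detected: bool = False    # seismic sensor
    noncritical_fault: bool = False  # e.g. slow door operator, VFD warning
    maintenance_reset: bool = False  # technician reset, valid only on inspection
    sw_fire_request: bool = False    # software request (BMS/Modbus); never honoured


class ModeArbiter:
    """Picks one mode per scan. The highest-priority active condition wins,
    and trips latch until a technician resets them from the car-top station."""

    def __init__(self) -> None:
        self.mode = Mode.INIT
        self.latched_trip = False      # emergency shutdown latch
        self.inspection_trip = False   # post-seismic inspection required

    def step(self, inp: Inputs) -> Mode:
        # Latch trips first so a one-scan glitch cannot be missed.
        if inp.safety_chain_trip:
            self.latched_trip = True
        if inp.p_wave_detected:
            self.inspection_trip = True
        # A reset is honoured only from the car-top inspection switch and
        # only once the triggering condition has gone away.
        if (inp.maintenance_reset and inp.inspection_switch
                and not inp.safety_chain_trip and not inp.p_wave_detected):
            self.latched_trip = False
            self.inspection_trip = False

        # Priority chain (assumed order). sw_fire_request is deliberately
        # not read: fire service is reachable only via the hardwired relay.
        if self.latched_trip:
            mode = Mode.EMERGENCY_STOP
        elif inp.inspection_switch:
            mode = Mode.MAINTENANCE      # technician on the car top outranks recall
        elif inp.fire_recall_hw:
            mode = Mode.FIRE_SERVICE
        elif inp.p_wave_detected or self.inspection_trip:
            mode = Mode.SEISMIC
        elif not inp.self_test_passed:
            mode = Mode.INIT
        elif inp.noncritical_fault:
            mode = Mode.DEGRADED
        else:
            mode = Mode.NORMAL
        self.mode = mode
        return mode
```

Two design points worth carrying into the requirements: the latch is cleared only when the reset and the inspection switch are both present and the trip input is already gone, so a stuck or replayed reset cannot release the brake while the hazard persists; and the seismic inspection trip outlives the P-wave signal, which is what "post-event inspection trip" in the mode list requires.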
Hazard Register
| ID | Description | Severity | Frequency | SIL | Safe State |
|---|---|---|---|---|---|
| H-001 | Uncontrolled car movement (contactor weld, drive/logic fault) | Catastrophic | Rare | 3 | Motor de-energised, mechanical brake, UCMP activated |
| H-002 | Overspeed in down direction (VFD/brake failure, rope slip) | Catastrophic | Rare | 3 | Governor trips, progressive safety gear engages |
| H-003 | Door zone entrapment (closing doors, car/landing gap) | Critical | Medium | 2 | Doors re-open within 3 s, closing force limited to 150 N |
| H-004 | Car levelling failure (>±10 mm from floor) | Major | Medium | 1 | Re-levelling to ±5 mm, doors held closed |
| H-005 | Power failure with passengers trapped | Critical | Low | 2 | ARD drives to nearest floor, doors open, intercom |
| H-006 | Hoistway flooding/fire exposure | Critical | Low | 2 | Fire recall, motor de-energised, pit sump active |
| H-007 | Counterweight derailment (seismic, rail failure) | Catastrophic | Rare | 3 | Seismic mode, car stopped, brakes engaged |
| H-008 | Drive EMI corrupts safety signals | Critical | Low | 2 | Safety controller detects discrepancy, e-stop |
Cross-domain analogs: {{entity:Interlock and Emergency Shutdown System}} ({{hex:51B77A59}}) from offshore oil and {{entity:Emergency Shutdown and Evacuation System}} ({{hex:54FD7A59}}) from naval CMS both share the dual-channel safety monitoring and mechanical-brake safe-state pattern relevant to H-001/H-002.
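The dual-channel pattern named above is what turns H-001, H-002 and H-008 into something checkable: either channel alone may demand the safe state, and sustained disagreement between the channels is itself a trip, so corrupted safety signals (H-008) fail towards the brake rather than towards silence. The following Python is an added illustrative example, not code from the page or from any vendor. The channel names, the speed tolerance, the discrepancy window and the levelling-speed limit are assumptions; `RATED_SPEED` is the 6 m/s from the system description, and the 115% trip factor is borrowed from the EN 81-20 governor tripping speed and used here as an assumed electronic trip point.

```python
"""Dual-channel safety monitor for H-001 (UCMP), H-002 (overspeed) and
H-008 (channel discrepancy from drive EMI).

Added illustrative example; not code from the page or any vendor. Channel
names, tolerance, discrepancy window and levelling-speed limit are
assumptions. RATED_SPEED is from the concept definition; the 115 % factor
follows the EN 81-20 governor tripping speed, assumed here as the
electronic trip point.
"""
from dataclasses import dataclass, field
from typing import List, Optional

RATED_SPEED = 6.0             # m/s, from the concept definition
OVERSPEED_FACTOR = 1.15       # assumed electronic overspeed trip point
SPEED_TOLERANCE = 0.2         # m/s, assumed allowed disagreement between channels
DISCREPANCY_WINDOW_MS = 100   # assumed time channels may disagree before a trip
LEVELLING_SPEED = 0.3         # m/s, assumed max speed with doors open in zone


@dataclass(frozen=True)
class Sample:
    t_ms: int
    speed_a: float      # channel A (e.g. governor encoder), m/s, negative = down
    speed_b: float      # channel B (e.g. motor encoder), m/s
    door_zone_a: bool   # channel A: car inside the door/unlocking zone
    door_zone_b: bool   # channel B: same, from an independent sensor
    doors_closed: bool  # safety-chain door contacts


@dataclass
class Verdict:
    safe_state: bool                       # True: de-energise motor, apply brake
    reasons: List[str] = field(default_factory=list)


class SafetyMonitor:
    """1oo2 trip logic: either channel alone can demand the safe state, and
    sustained disagreement between channels is itself a trip. Trips latch
    until reset()."""

    def __init__(self) -> None:
        self.disagree_since: Optional[int] = None
        self.tripped = False
        self.reasons: List[str] = []

    def evaluate(self, s: Sample) -> Verdict:
        new: List[str] = []
        limit = RATED_SPEED * OVERSPEED_FACTOR

        # H-002: overspeed seen by either channel trips (1oo2).
        if abs(s.speed_a) > limit or abs(s.speed_b) > limit:
            new.append("H-002 overspeed")

        # H-001: doors not closed while the car is outside the door zone on
        # either channel, or moving faster than levelling speed. The worst
        # case of the two channels is used so one faulty "in zone" signal
        # cannot mask unintended movement.
        in_zone = s.door_zone_a and s.door_zone_b
        speed = max(abs(s.speed_a), abs(s.speed_b))
        if not s.doors_closed and (not in_zone or speed > LEVELLING_SPEED):
            new.append("H-001 unintended movement with doors open")

        # H-008: channels disagree for longer than the discrepancy window.
        disagree = (abs(s.speed_a - s.speed_b) > SPEED_TOLERANCE
                    or s.door_zone_a != s.door_zone_b)
        if disagree:
            if self.disagree_since is None:
                self.disagree_since = s.t_ms
            elif s.t_ms - self.disagree_since > DISCREPANCY_WINDOW_MS:
                new.append("H-008 channel discrepancy")
        else:
            self.disagree_since = None

        if new:
            self.tripped = True
            for r in new:
                if r not in self.reasons:
                    self.reasons.append(r)
        return Verdict(self.tripped, list(self.reasons))

    def reset(self) -> None:
        """Clear the latch. In a real system this follows a technician
        inspection and is never reachable from a software interface."""
        self.tripped = False
        self.reasons = []
        self.disagree_since = None
```

The discrepancy window is the one parameter that needs justification in the safety case: too short and normal encoder jitter during acceleration trips the car, too long and a corrupted channel is trusted for that long. Re-levelling with doors open inside the zone is deliberately not a trip, which is why the speed limit and the zone check are combined rather than treating any movement with open doors as H-001.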
Stakeholders
| Role | Hex | Relationship | Cross-Domain |
|---|---|---|---|
| Building Occupant / Passenger | {{hex:00084011}} | Primary user, hall/car call interaction | Hospital patient (mobility needs) |
| Maintenance Technician | {{hex:00042AF8}} | Exclusive hoistway access, EN 81-20 inspection | Railway signalling maintainer |
| Building Facility Manager | {{hex:000C5AF8}} | Day-to-day BMS operation, emergency coordination | Warehouse operations manager |
| Fire Service | {{hex:01857AF9}} | Phase I/II fire recall, manual override | Naval damage control team |
| Regulatory Inspector | {{hex:000038F8}} | Annual statutory inspection, authority to condemn | Nuclear safety inspector |
| OEM / System Integrator | {{hex:40A43A58}} | Design, install, commission, lifecycle support | Railway signalling OEM |
Operating Environment
Thermal: 0-50°C hoistway ambient, ≤40°C machine room, 5-95% RH non-condensing. Below-grade pits subject to flooding. EMC: VFD switching at 4-16 kHz, EN 12015/12016 compliance, 10 V/m radiated immunity, mandatory shielded cabling for safety circuits. Power: 3-phase 400VAC/50Hz dedicated supply, regenerative braking, UPS (30 min), ARD batteries (3 rescue cycles), IEC 60364 grounding. Physical: machine-room or MRL configuration, IP54 minimum pit equipment, car-top inspection station.
External Interfaces
| External System | Interface | Hex |
|---|---|---|
| Building Management System | BACnet/IP or Modbus TCP, 1Hz bidirectional | {{hex:50AD7B48}} |
| Fire Alarm Panel | Hardwired relay (not software), Phase I recall, smoke detectors | {{hex:D4AD7858}} |
| Access Control System | RS-485/IP, authorised floor list per credential | {{hex:50BD7819}} |
| Emergency Intercom | Two-way voice, auto-dial on entrapment, EN 81-28, GSM backup | {{hex:D4FD7A58}} |
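BACnet/IP and Modbus TCP carry no authentication, so the controller's exposure to the building network is defined entirely by which functions it chooses to honour from the BMS, and the ACS floor list is an input that must be validated like any other. The following Python is an added illustrative example, not code from the page or from any vendor. The message field names, the contents of the allow-list, the 30-floor limit and the sample credentials are assumptions; what the page supports is that the BMS sends schedules and VIP priority, the ACS supplies an authorised floor list per credential, and fire recall arrives over a hardwired relay with no software equivalent.

```python
"""Command gate in front of the controller's software-facing interfaces
(BMS over BACnet/IP or Modbus TCP, and the access control system).

Added illustrative example; not code from the page or any vendor. Field
names, allow-list contents, the floor count and the sample credentials
are assumptions. From the page: BMS sends schedules and VIP priority, the
ACS supplies an authorised floor list per credential, and fire recall is
hardwired with no software path.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set

NUM_FLOORS = 30  # assumed building size (the page says 30+ floors)

# The only BMS functions the controller exposes, each with the exact field
# set it may carry. Modes, door commands and anything on the safety chain
# are absent on purpose: there is no software path to them, so an attacker
# on the building network gets dispatch tuning at most.
BMS_ALLOWED: Dict[str, FrozenSet[str]] = {
    "up_peak_schedule": frozenset({"start_hhmm", "end_hhmm", "lobby_floor"}),
    "vip_priority": frozenset({"floor", "ttl_s"}),
}
FLOOR_FIELDS = {"floor", "lobby_floor"}


@dataclass(frozen=True)
class Decision:
    accepted: bool
    reason: str


def valid_floor(value: object) -> bool:
    # bool is a subclass of int in Python; reject it explicitly.
    return (isinstance(value, int) and not isinstance(value, bool)
            and 1 <= value <= NUM_FLOORS)


class CommandGate:
    def __init__(self, acs_floor_lists: Dict[str, FrozenSet[int]]) -> None:
        self.acs = dict(acs_floor_lists)  # credential id -> authorised floors

    def bms_command(self, msg: Dict[str, object]) -> Decision:
        """Accept a BMS request only if it is an exposed function carrying
        exactly the expected fields with in-range floors."""
        cmd = msg.get("cmd")
        if cmd not in BMS_ALLOWED:
            return Decision(False, f"bms: {cmd!r} is not an exposed function")
        fields = set(msg) - {"cmd"}
        expected = BMS_ALLOWED[cmd]
        if fields != expected:
            # Extra fields are rejected too; they are the usual smuggling vector.
            return Decision(False, f"bms: {cmd} expects {sorted(expected)}, got {sorted(fields)}")
        for name in fields & FLOOR_FIELDS:
            if not valid_floor(msg[name]):
                return Decision(False, f"bms: {name}={msg[name]!r} out of range")
        return Decision(True, f"bms: {cmd} accepted")

    def car_call(self, credential: str, floor: int) -> Decision:
        """Car call from inside the car, presented with an ACS credential."""
        if not valid_floor(floor):
            return Decision(False, f"call: floor {floor!r} out of range")
        allowed = self.acs.get(credential)
        if allowed is None:
            return Decision(False, f"call: unknown credential {credential}")
        if floor not in allowed:
            return Decision(False, f"call: {credential} not authorised for floor {floor}")
        return Decision(True, f"call: floor {floor} registered")

    def acs_update(self, credential: str, floors: Set[int]) -> Decision:
        """Floor-list update from the ACS; validated like any other input."""
        if not all(valid_floor(f) for f in floors):
            return Decision(False, f"acs: list for {credential} has invalid floors")
        self.acs[credential] = frozenset(floors)
        return Decision(True, f"acs: {credential} updated")
```

The allow-list is the security boundary here: the check is "is this one of the functions we expose" rather than "is this one of the functions we forbid", so a new controller feature is unreachable from the BMS until someone deliberately adds it. Fire recall does not appear in the list because the page places it on a hardwired relay; a `fire_recall` message over BACnet is therefore rejected as an unknown function, not handled as a privileged one.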
```mermaid
flowchart TB
IECS["Industrial Elevator Control System"]
BO(["Building Occupants"])
MT(["Maintenance Technician"])
FM(["Facility Manager"])
FS(["Fire Service"])
BMS(["Building Management System"])
FAP(["Fire Alarm Panel"])
ACS(["Access Control System"])
EI(["Emergency Intercom"])
BPS(["Building Power Supply"])
BO -->|Hall/car calls| IECS
IECS -->|Floor indicators, audio| BO
MT -->|Maintenance commands| IECS
IECS -->|Diagnostics, faults| MT
IECS -->|Status, alarms, energy| FM
FS -->|Phase II manual commands| IECS
BMS -->|Schedules, VIP priority| IECS
IECS -->|Position, door state, faults| BMS
FAP -->|Phase I recall, smoke| IECS
ACS -->|Authorised floor list| IECS
IECS -->|Auto-dial on entrapment| EI
BPS -->|3-phase mains, UPS, ARD| IECS
```
Next
The scaffold session (436) should derive stakeholder requirements from the ConOps scenarios, starting with the safety-critical requirements driven by the three SIL 3 hazards (H-001 uncontrolled movement, H-002 overspeed, H-007 counterweight derailment). The overspeed governor and UCMP subsystems are the highest-risk architectural elements and should be decomposed first. The fire service interface (hardwired relay, not software) and the SIL 3 safe states impose the same architectural constraint: the safety chain and its trip inputs must be independent of the main controller, so that a fault in, or compromise of, the dispatch software and its BMS/ACS-facing interfaces can neither suppress a trip nor enter fire service mode.